Knockd :: Secure your Server connections ~ Up_to_date_with_ me

Saturday, 4 July 2015

Knockd :: Secure your Server connections


Knockd is a small daemon that allows or denies network connections to your server. It watches for a specific sequence of connection attempts on the ports you have defined. If the sequence is executed in the correct order, the daemon opens the port and allows connections on the SSH port for a certain time.
Thus, from an external point of view, the server has no open port except for clients that know the port sequence.
Our example shows how to set up knockd to establish an SSH connection. The firewall configuration in the data center is made so strict that one cannot access the servers from the IP address of the office. So we have a problem if we want to connect to the servers in the data center from home.
What solutions do we have?
Ask someone to turn off the firewall (a very bad idea) or to add my current IP address to the firewall filters. Should we connect to the desktop and then to the data center network? Again, we would have the same problems with the firewall.
In this particular situation, knockd is very helpful.
To get a better view of our environment, here is the layout of our network:
In our example, we will install it on the PostgreSQL server. As usual, the installation is relatively easy:
# apt-get install knockd
Now for the configuration file /etc/knockd.conf:
[OpenSSH]
sequence = 6666,7532,9123
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[CloseSSH]
sequence = 9123,7532,6666
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
To send the right combination, we use the client program knock:
$ knock -v 91.207.12.87 6666 7532 9123
You could also use telnet, netcat, hping, etc.
If knockd accepted the correct sequence, this command has caused an iptables rule to be created for our current IP address, opening access to our server:
$ iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  81.132.12.38         0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.25.206.10        0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
As we can see, a rule was added to the configuration of the server where knockd is installed. Now we can easily connect via SSH from home with the IP address 81.132.12.38.
Once I have finished working on the server, I send a new sequence to remove the rule that was added to the iptables filtering:
$ knock -v 91.207.12.87 9123 7532 6666
Simple and effective ;)
Everything works fine, but we can go a step further by defining a maximum time window for starting the SSH connection. Modify our configuration:
/etc/knockd.conf:
[OpencloseSSH]
sequence = 6666,8213,12312,9432
seq_timeout = 5
tcpflags = syn
start_command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
cmd_timeout = 25
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
As you have noticed, we have changed a few things:
The sequence now has 4 ports. You can define as many ports as you want and also mix UDP and TCP ports (for example 6666:udp,8213:udp,12312:tcp,9432:udp);
We set a maximum time of 25 seconds (the optional cmd_timeout = 25) to connect. After 25 seconds the rule is deleted and you must send the sequence again to connect. Knockd is fairly simple to use and makes the server a little more secure. In our example we configured it for SSH, but you can configure it for PostgreSQL, MySQL or any other service.
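To see how the two timeouts interact, here is an added example (not knockd's own code, but a simplified model of its per-source sequence matching) that replays constructed connection attempts against the [OpencloseSSH] door above: a sequence completed within seq_timeout opens the port, and cmd_timeout schedules the close; a stalled retry and a host probing the same ports in the wrong order open nothing. The IP addresses and timestamps are constructed sample data.

```python
from collections import namedtuple

# One connection attempt (timestamp in seconds, source IP, port, "tcp"/"udp").
Knock = namedtuple("Knock", "ts src port proto")
# One [section] of knockd.conf: ordered (port, proto) list plus both timeouts;
# cmd_timeout=None models the first config, where only a second door closes the rule.
Door = namedtuple("Door", "name sequence seq_timeout cmd_timeout")

def parse_sequence(spec, default_proto="tcp"):
    """'6666:udp,8213:udp,12312:tcp' -> [(6666, 'udp'), ...]; bare ports mean tcp."""
    seq = []
    for item in spec.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), proto or default_proto))
    return seq

def replay(door, knocks):
    """Simplified model of knockd's per-source matching: returns sorted
    (ts, 'open'|'close', src) events, 'open' when the whole sequence arrives
    within seq_timeout and 'close' cmd_timeout seconds later (if configured)."""
    progress = {}       # src -> (index of next expected knock, ts of first knock)
    events = []
    for k in sorted(knocks, key=lambda k: k.ts):
        idx, first = progress.get(k.src, (0, k.ts))
        if idx and k.ts - first > door.seq_timeout:
            idx = 0                          # partial sequence expired: start over
        if (k.port, k.proto) != door.sequence[idx]:
            progress[k.src] = (0, k.ts)      # wrong knock discards any progress
            continue
        if idx == 0:
            first = k.ts                     # first correct knock starts the clock
        idx += 1
        if idx == len(door.sequence):        # complete: start_command now ...
            events.append((k.ts, "open", k.src))
            if door.cmd_timeout is not None: # ... and stop_command after cmd_timeout
                events.append((k.ts + door.cmd_timeout, "close", k.src))
            idx = 0
        progress[k.src] = (idx, first)
    return sorted(events)

# Constructed sample: the post's [OpencloseSSH] door; a valid knock from the home
# IP, then a retry that stalls past seq_timeout, then a host probing the same ports
# in reverse order (which must not open anything).
OPENCLOSE = Door("OpencloseSSH", parse_sequence("6666:udp,8213:udp,12312:tcp,9432:udp"), 5, 25)
SAMPLE = [Knock(0.0, "81.132.12.38", 6666, "udp"), Knock(1.0, "81.132.12.38", 8213, "udp"),
          Knock(2.0, "81.132.12.38", 12312, "tcp"), Knock(3.0, "81.132.12.38", 9432, "udp"),
          Knock(100.0, "81.132.12.38", 6666, "udp"), Knock(107.0, "81.132.12.38", 8213, "udp"),
          Knock(108.0, "81.132.12.38", 12312, "tcp"), Knock(109.0, "81.132.12.38", 9432, "udp"),
          Knock(50.0, "10.0.0.9", 9432, "udp"), Knock(51.0, "10.0.0.9", 12312, "tcp"),
          Knock(52.0, "10.0.0.9", 8213, "udp"), Knock(53.0, "10.0.0.9", 6666, "udp")]
```

Running replay(OPENCLOSE, SAMPLE) yields one open at t=3 and its close at t=28; with a door whose cmd_timeout is None (the first [OpenSSH] config) only the open event appears, which is exactly why the ACCEPT rule lingers until the close sequence is sent.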

